rework heatmap permissions (#14080)

* now uses the same permission model as for the activity feed: only include activities in repos, that the doer has access to. this might be somewhat slower. * also improves handling of user.KeepActivityPrivate (still shows the heatmap to self & admins) * extend tests * adjust integration test to new behaviour * add access to actions for admins * extend heatmap unit tests
2025-07-22 18:28:37 +00:00 · 2020-12-22 02:53:37 +00:00
parent 2c9dd71140
commit f6bec85296
8 changed files with 113 additions and 69 deletions
--- a/models/user_heatmap.go
+++ b/models/user_heatmap.go
@@ -16,10 +16,10 @@ type UserHeatmapData struct {
 }

 // GetUserHeatmapDataByUser returns an array of UserHeatmapData
-func GetUserHeatmapDataByUser(user *User) ([]*UserHeatmapData, error) {
+func GetUserHeatmapDataByUser(user *User, doer *User) ([]*UserHeatmapData, error) {
 	hdata := make([]*UserHeatmapData, 0)

-	if user.KeepActivityPrivate {
+	if !activityReadable(user, doer) {
 		return hdata, nil
 	}

@@ -37,22 +37,26 @@ func GetUserHeatmapDataByUser(user *User) ([]*UserHeatmapData, error) {
 		groupByName = groupBy
 	}

-	sess := x.Select(groupBy+" AS timestamp, count(user_id) as contributions").
-		Table("action").
-		Where("user_id = ?", user.ID).
-		And("created_unix > ?", (timeutil.TimeStampNow() - 31536000))
-
-	// * Heatmaps for individual users only include actions that the user themself
-	//   did.
-	// * For organizations actions by all users that were made in owned
-	//   repositories are counted.
-	if user.Type == UserTypeIndividual {
-		sess = sess.And("act_user_id = ?", user.ID)
+	cond, err := activityQueryCondition(GetFeedsOptions{
+		RequestedUser:  user,
+		Actor:          doer,
+		IncludePrivate: true, // don't filter by private, as we already filter by repo access
+		IncludeDeleted: true,
+		// * Heatmaps for individual users only include actions that the user themself did.
+		// * For organizations actions by all users that were made in owned
+		//   repositories are counted.
+		OnlyPerformedBy: !user.IsOrganization(),
+	})
+	if err != nil {
+		return nil, err
 	}

-	err := sess.GroupBy(groupByName).
+	return hdata, x.
+		Select(groupBy+" AS timestamp, count(user_id) as contributions").
+		Table("action").
+		Where(cond).
+		And("created_unix > ?", (timeutil.TimeStampNow() - 31536000)).
+		GroupBy(groupByName).
 		OrderBy("timestamp").
 		Find(&hdata)
-
-	return hdata, err
 }